CN114465748A - Attack trapping method and system based on multi-bait dynamic cooperation

Info

Publication number: CN114465748A
Authority: CN (China)
Prior art keywords: access, access request, object value, target object, initiating terminal
Legal status: Granted
Application number: CN202111146930.4A
Other languages: Chinese (zh)
Other versions: CN114465748B (en)
Inventor: 张长河
Current Assignee: Beijing Weida Information Technology Co ltd
Original Assignee: Beijing Weida Information Technology Co ltd
Events: application filed by Beijing Weida Information Technology Co ltd; priority to CN202111146930.4A; publication of CN114465748A; application granted; publication of CN114465748B; legal status Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1491: Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14: Network analysis or design
    • H04L41/145: Network analysis or design involving simulating, designing, planning or modelling of a network

Abstract

The application discloses an attack trapping method and system based on multi-bait dynamic cooperation, which relates to the technical field of network security, and comprises the following steps: deploying honeypots based on a plurality of network nodes; establishing a plurality of object value libraries based on object values of a plurality of access objects respectively; acquiring an access request of an access initiating terminal by taking any access object as a target, and judging whether the access request is reasonable or not; if the access request is unreasonable, a virtual path between the access initiating end and the honeypot is constructed; determining a target access object which requests to be accessed according to the access request; and selecting a target object value library corresponding to the target access object, and replying the object value to the access initiating terminal through the honeypot and based on the target object value library. The method and the device have the effect that honeypots can reply to access requests flexibly.

Description

Attack trapping method and system based on multi-bait dynamic cooperation
Technical Field
The application relates to the technical field of network security, in particular to an attack trapping method and system based on multi-bait dynamic cooperation.
Background
A computer network attack means that an attacker obtains illegitimate privileges through illegitimate means (such as deciphering a password or spoofing) and uses those privileges to carry out unauthorized operations on the attacked host. The main approaches to network attack are deciphering passwords, IP spoofing, and DNS spoofing.
There are also corresponding defense means against network attacks. In the related art, a defense system is usually built with honeypot technology to trap and defend against network attacks: the honeypot is made to simulate a virtual device, and when the attacking side launches a network attack against the honeypot, the honeypot replies to the attacking side with fixed feedback information. This induces the attacking side to keep launching network attacks against the honeypot, while the honeypot captures information about the attacking side so that the defense system can be further strengthened according to that information.
With respect to the related art described above, the inventors consider that the following drawback exists: when a plurality of objects need to be protected by the honeypot, an attacker may launch aggressive access requests against several of the protected objects, yet the honeypot's feedback to those requests is fixed and uniform. Because the attacker keeps receiving the same fixed reply, the existence of the honeypot is easily identified, which creates a certain network security risk.
Disclosure of Invention
In order to overcome the defect that honeypots have fixed and single feedback on access requests, the application provides an attack trapping method and system based on multi-bait dynamic cooperation.
In a first aspect, the present application provides an attack trapping method based on multi-bait dynamic collaboration, including the following steps:
deploying honeypots based on a plurality of network nodes;
establishing a plurality of object value libraries based on object values of a plurality of access objects respectively;
acquiring an access request of an access initiating terminal by taking any access object as a target, and judging whether the access request is reasonable or not;
if the access request is unreasonable, a virtual path between the access initiating end and the honeypot is constructed;
determining a target access object which requests to be accessed according to the access request;
and selecting a target object value library corresponding to the target access object, and replying the object value to the access initiating terminal through the honeypot and based on the target object value library.
By adopting this technical scheme, the access initiating terminal may be a normal user or an attacker carrying out a network attack. The honeypot is deployed at a network node, and a plurality of object value libraries are established according to the object values of different access objects, each library comprising all possible values corresponding to its access object. When an access request from the access initiating terminal is obtained, the rationality of the access request is judged first; if the request is unreasonable, a connection path is established between the access initiating terminal and the honeypot through a virtual path, the target object value library corresponding to the target access object requested by the access request is selected, a value is taken from that library, and the access initiating terminal is replied to through the honeypot. Compared with the fixed, single reply preset in a honeypot, if the access request is an aggressive request from an attacker, replying with different object values according to the different target access objects of the access requests confuses the attacker more easily, and the honeypot simulates real equipment more convincingly.
Optionally, replying the object value to the access initiator based on the target object value library includes the following steps:
judging whether the access request is acquired for the first time;
if the access request is obtained for the first time, randomly extracting any group of object values from the object value library as object values, and returning the object values to the access initiating terminal;
uploading the access request and a target object value corresponding to the access request to a preset first database;
if the access request is not acquired for the first time, analyzing the interesting condition of the access initiating terminal to the target object value according to the first database to obtain an analysis result;
replying different object values to the access initiating terminal according to the analysis result;
uploading the access request and the corresponding object value to the first database.
By adopting the technical scheme, because the target access objects requested to be accessed by the access request are different, the types of the access requests are different, when the access request is acquired, whether the access request of the type is acquired for the first time is judged, if the access request is acquired for the first time, the object value is randomly extracted from the corresponding target object value base for replying, and the access request and the replied target object value are uploaded and stored in the first database; if not, calling the historical data from the first database, analyzing whether the access initiating terminal is interested in the target object value of the historical reply or not, replying according to the analysis result, uploading and storing the access request and the object value replied again into the first database so as to call and analyze again when the same kind of access request is obtained next time.
Optionally, randomly extracting any one group of object values from the target object value library as target object values includes the following steps:
sequencing the time sequence of the object values obtained according to the target object value library, and marking different numbers on all the object values according to the time sequence;
and extracting numbers based on a preset random function to obtain target numbers, and taking object values corresponding to the target numbers as target object values.
By adopting the technical scheme, the object value is extracted by combining the sequencing number and the random function, so that the randomness of the object value in the extraction process can be ensured.
Optionally, analyzing, according to the first database, a situation of interest of the access initiating terminal on the target object value, and obtaining an analysis result includes the following steps:
judging, based on the access request, whether a same access request exists in the first database, wherein a same access request is a stored access request whose target access object is the same as that of the current access request;
if the same access request does not exist in the first database, obtaining a first analysis result, wherein the first analysis result is that the access initiating terminal is not interested in the target object value;
and if the same access requests exist in the first database, analyzing the number of the same access requests to obtain a second analysis result.
By adopting this technical scheme, a search is performed in the first database according to the obtained access request to judge whether a same access request of the same type exists. If no same access request exists, then although the obtained access request is not being obtained for the first time, the first analysis result is that the access initiating terminal is not interested in the target object value replied when the access request was first obtained; if a same access request exists, further analysis is performed according to the number of same access requests in the first database.
Optionally, analyzing the number of the same access requests to obtain a second analysis result includes the following steps:
counting the number of the same access requests in the first database;
judging the number based on a preset first number threshold and a preset second number threshold, wherein the second number threshold is smaller than the first number threshold;
if the number exceeds a preset first number threshold, obtaining a second analysis result that the target object value is interested by the access initiating terminal;
if the number does not exceed a preset second number threshold, obtaining a second analysis result that the access initiating terminal is not interested in the target object value;
and if the number exceeds a preset second number threshold and does not exceed a preset first number threshold, performing comprehensive analysis on the same access request and the access request to obtain a second analysis result.
By adopting the technical scheme, the number of the same access requests is counted, and then the counted number is analyzed and judged through a first number threshold and a second number threshold, wherein the first number threshold is larger than the second number threshold, and when the number exceeds the first number threshold, the same target access object is indicated to be accessed by the repeated request of the access request of the type for multiple times, so that a second analysis result obtained through analysis is that the access initiating end is interested in the replied target object value; when the number does not exceed the second number threshold, the same target access object is repeatedly requested to be accessed by the access request of the type, but the repeated times are less, so that the second analysis result obtained by analysis is that the access initiating terminal is not interested in the returned target object value; when the number is between the first number threshold and the second number threshold, then the analysis result needs to be obtained through further analysis of the access request.
Optionally, performing comprehensive analysis on the same access request and the access request to obtain a second analysis result includes the following steps:
acquiring a first semantic meaning of the same access request and a second semantic meaning of the access request;
calculating semantic similarity of the first semantic meaning and the second semantic meaning;
judging whether the semantic similarity exceeds a preset similarity threshold;
if the semantic similarity exceeds the similarity threshold, obtaining a second analysis result that the access initiating terminal is interested in the target object value;
and if the semantic similarity does not exceed the similarity threshold, obtaining a second analysis result that the access initiating terminal is not interested in the target object value.
By adopting this technical scheme, the similarity between the same access request and the current access request is judged through the semantic similarity of the first semantic meaning and the second semantic meaning, and the corresponding analysis result is obtained according to the similarity threshold. If the semantic similarity exceeds the similarity threshold, the overall similarity between the same access request and the current access request is high, meaning their access modes and access purposes are highly similar, and therefore the second analysis result is that the access initiating terminal is interested in the target object value; if the semantic similarity does not exceed the similarity threshold, the overall similarity between the same access request and the current access request is low, and therefore the second analysis result is that the access initiating terminal is not interested in the target object value.
Optionally, replying different object values to the access initiator according to the analysis result includes the following steps:
judging whether the access initiating terminal is interested in the target object value or not according to the analysis result;
if the access initiating terminal is interested in the target object value, continuing to reply the target object value to the access initiating terminal; and if the access initiating terminal is not interested in the target object value, re-extracting other object values except the target object value from the target object value library, and replying the other object values to the access initiating terminal.
By adopting the technical scheme, if the access initiating terminal is interested in the target object value, the target object value is not changed, and the same target object value is adopted for replying; if the access initiating terminal is not interested in the target object value, temporarily hiding the target object value from the target object value library, and randomly extracting a group of object values from the target object value library again to be used as a new target object value for replying.
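The reply-selection procedure of the optional steps above (the first-time check, the numbered random extraction, the two number thresholds, the semantic-similarity fallback, and the re-extraction of a different object value when the initiator is not interested), combined into one runnable model. This is an added example, not code from the patent or its assignee; the library contents, the threshold values, the keying of "same access request" on initiator plus target object, and the token-overlap stand-in for semantic similarity are assumptions.

```python
import random

# Threshold values are constructed assumptions, not figures from the patent.
FIRST_NUMBER_THRESHOLD = 5        # more same requests than this: interested
SECOND_NUMBER_THRESHOLD = 2       # this many or fewer: not interested
SIMILARITY_THRESHOLD = 0.5        # in between: decide by request similarity

# Object value libraries, one per protected access object (constructed sample data).
# Each holds every plausible value the honeypot may present for that object.
SAMPLE_LIBRARIES = {
    "db-server": ["MySQL 5.7.31", "MySQL 8.0.22", "MariaDB 10.4.17"],
    "web-server": ["nginx/1.18.0", "Apache/2.4.41", "nginx/1.20.1"],
}


def token_similarity(first_request, second_request):
    """Assumed stand-in for the semantic similarity of the comprehensive analysis:
    Jaccard overlap of the whitespace-separated tokens of the two requests."""
    first = set(first_request.lower().split())
    second = set(second_request.lower().split())
    union = first | second
    return len(first & second) / len(union) if union else 0.0


class MultiBaitHoneypot:
    """Replies to access requests already judged unreasonable and routed to the honeypot."""

    def __init__(self, libraries, seed=None):
        self.libraries = libraries
        self.rng = random.Random(seed)          # the "preset random function"
        # First database: one row per reply (initiator, target object, request text, value).
        self.first_database = []

    def extract_random_value(self, target, exclude=()):
        """Number the library's values in order, draw a number with the random
        function and return that value. Values in `exclude` are hidden temporarily."""
        numbered = {number: value
                    for number, value in enumerate(self.libraries[target], start=1)
                    if value not in exclude}
        if not numbered:                         # nothing left to hide behind: use the full library
            numbered = dict(enumerate(self.libraries[target], start=1))
        target_number = self.rng.choice(sorted(numbered))
        return numbered[target_number]

    def same_requests(self, initiator, target):
        """Stored requests from this initiator whose target access object matches (assumption)."""
        return [row for row in self.first_database
                if row[0] == initiator and row[1] == target]

    def is_interested(self, initiator, target, request_text):
        """First/second analysis result: is the initiator interested in the last bait value?"""
        same = self.same_requests(initiator, target)
        if not same:
            return False                         # first analysis result
        if len(same) > FIRST_NUMBER_THRESHOLD:
            return True
        if len(same) <= SECOND_NUMBER_THRESHOLD:
            return False
        # Between the thresholds: comprehensive analysis against the stored requests.
        best = max(token_similarity(row[2], request_text) for row in same)
        return best > SIMILARITY_THRESHOLD

    def reply(self, initiator, target, request_text):
        """Pick the object value the honeypot returns for this request, then record it."""
        rows_for_target = [row for row in self.first_database if row[1] == target]
        if not rows_for_target:                  # first request of this type
            value = self.extract_random_value(target)
        else:
            same = self.same_requests(initiator, target)
            # The bait last shown to this initiator, or the first one ever shown for the target.
            previous = (same[-1] if same else rows_for_target[0])[3]
            if self.is_interested(initiator, target, request_text):
                value = previous                 # keep the bait stable
            else:
                value = self.extract_random_value(target, exclude={previous})
        self.first_database.append((initiator, target, request_text, value))
        return value


if __name__ == "__main__":
    honeypot = MultiBaitHoneypot(SAMPLE_LIBRARIES, seed=1)
    for _ in range(4):   # constructed: one scanner probing the database bait repeatedly
        print(honeypot.reply("198.51.100.7", "db-server", "SELECT VERSION()"))
```

With the thresholds above, the first two repeat requests from one initiator receive a different bait each time, and from the third repeat onward an identical request keeps the same bait, because the comprehensive analysis finds full overlap with the stored requests. A library needs at least two object values for the not-interested branch to actually change the bait; the fallback in `extract_random_value` only prevents an empty draw.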
Optionally, the deploying the honeypots based on the plurality of network nodes includes the following steps:
randomly selecting one of the network nodes to be configured as a real node, and configuring other network nodes except the real node as virtual nodes, wherein the real node is a network node connected with an access object;
constructing a virtual network based on the virtual nodes, and randomly selecting at least one virtual node to be configured as a virtual gateway;
deploying honeypots based on the virtual network.
By adopting the technical scheme, the network nodes are adopted to configure the virtual nodes, the virtual network is constructed by the virtual nodes, and the virtual gateway is configured, so that a real network environment can be simulated, honeypots for simulating real equipment are deployed in the virtual network, and the combination of the virtual network and the honeypots is more favorable for trapping network attacks.
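A small model of the deployment step just described (real node, virtual nodes, virtual gateway, honeypot inside the virtual network) together with the virtual path of the earlier step that connects an unreasonable access initiator to the honeypot. This is an added example and not the patent's own code; the node names, the sample links, and the rule that an unreasonable request enters at the virtual gateway and follows the shortest virtual-network route to the honeypot are assumptions.

```python
import random
from collections import deque

# Constructed sample topology: five nodes in a ring plus one cross link.
SAMPLE_NODES = ["n1", "n2", "n3", "n4", "n5"]
SAMPLE_LINKS = [("n1", "n2"), ("n2", "n3"), ("n3", "n4"),
                ("n4", "n5"), ("n5", "n1"), ("n2", "n4")]


def deploy_honeypots(nodes, links, seed=None):
    """One node is configured as the real node (attached to the protected access
    object), the rest become virtual nodes, one virtual node is configured as the
    virtual gateway, and the honeypot is placed inside the virtual network."""
    rng = random.Random(seed)
    real_node = rng.choice(nodes)
    virtual_nodes = [node for node in nodes if node != real_node]
    # The virtual network keeps only links whose both ends are virtual nodes.
    virtual_links = [(a, b) for a, b in links
                     if a in virtual_nodes and b in virtual_nodes]
    virtual_gateway = rng.choice(virtual_nodes)
    honeypot = rng.choice(virtual_nodes)
    return {"real_node": real_node, "virtual_nodes": virtual_nodes,
            "virtual_links": virtual_links, "virtual_gateway": virtual_gateway,
            "honeypot": honeypot}


def shortest_path(links, source, destination):
    """Breadth-first search over undirected links; returns the node list or None."""
    adjacency = {}
    for a, b in links:
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    previous = {source: None}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == destination:
            path = []
            while node is not None:
                path.append(node)
                node = previous[node]
            return path[::-1]
        for neighbour in adjacency.get(node, ()):
            if neighbour not in previous:
                previous[neighbour] = node
                queue.append(neighbour)
    return None


def route_request(topology, initiator, reasonable):
    """A reasonable request is connected to the real node; an unreasonable one gets
    a virtual path that enters at the virtual gateway and ends at the honeypot,
    never touching the real node (assumed routing rule)."""
    if reasonable:
        return [initiator, topology["real_node"]]
    inner = shortest_path(topology["virtual_links"],
                          topology["virtual_gateway"], topology["honeypot"])
    if inner is None:        # the virtual network was split by removing the real node
        return None
    return [initiator] + inner


if __name__ == "__main__":
    topology = deploy_honeypots(SAMPLE_NODES, SAMPLE_LINKS, seed=11)
    print(topology)
    print(route_request(topology, "198.51.100.7", reasonable=False))
```

The `None` return from `route_request` is the check worth keeping: a random choice of real node can disconnect the remaining virtual nodes in a sparser topology than the sample ring, and a honeypot that the gateway cannot reach silently sends the initiator nowhere.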
In a second aspect, the present application further provides an attack trapping system based on multi-bait dynamic collaboration, including:
the receiving module is used for acquiring an access request of an access initiating terminal;
the analysis module is used for analyzing the access request and judging the rationality of the access request;
the trapping module is deployed with honeypots and is connected with the access object and the analysis module;
when the analysis module judges that the access request is an unreasonable access request, the trapping module establishes a virtual path between the access initiating end and the honeypot.
By adopting the technical scheme, the access initiating terminal can be a normal user or an attacker for carrying out network attack, the honeypot is deployed at a network node, a plurality of object value libraries are established according to object values of different access objects, the object value libraries comprise all possible values corresponding to the access objects, when the access request of the access initiating terminal is obtained, the rationality of the access request is judged firstly, if the request is unreasonable, a connection path is established between the access initiating terminal and the honeypot through a virtual path, the corresponding target object value library is selected according to the target access object requested to be accessed by the access request, the value is taken from the target object value library, and the access initiating terminal is replied through the honeypot. Compared with the fixed single reply preset in the honeypot, if the access request is an access request with aggression of an attacker, the attacker can be confused more easily and the simulation effect of the honeypot on simulating real equipment is better by replying different object values according to different target access objects of the access request.
In summary, the present application includes at least one of the following beneficial technical effects:
1. and selecting a corresponding target object value library according to the target access object requested to be accessed by the access request, taking values from the target object value library and replying to the access initiating terminal through the honeypot. Compared with the fixed single reply preset in the honeypot, if the access request is an access request with aggression of an attacker, the attacker can be easily confused by replying different object values according to different target access objects of the access request, and the simulation effect of the honeypot on simulating real equipment is better.
2. The network nodes are adopted to configure the virtual nodes, a virtual network is constructed by the virtual nodes, and the virtual gateway is configured, so that a real network environment can be simulated, honeypots for simulating real equipment are deployed in the virtual network, and the network attack is better trapped by combining the virtual network and the honeypots.
Drawings
Fig. 1 is a schematic flowchart of an attack trapping method based on multi-bait dynamic collaboration according to an embodiment of the present application.
Fig. 2 is a schematic flowchart of replying an object value to an access initiator based on a target object value library according to an embodiment of the present application.
Fig. 3 is a schematic flow chart of randomly extracting an object value from a target object value library according to an embodiment of the present application.
Fig. 4 is a schematic flowchart illustrating a process of analyzing an interest of an access initiating terminal in a target object value according to an embodiment of the present application.
Fig. 5 is a schematic flowchart of analyzing the number of the same access requests and obtaining an analysis result according to an embodiment of the present disclosure.
Fig. 6 is a flowchart illustrating a process of comprehensively analyzing the same access request and the access request and obtaining an analysis result according to an embodiment of the present application.
FIG. 7 is a flowchart illustrating an embodiment of replying to an object value according to an analysis result.
Fig. 8 is a schematic flow chart of deploying honeypots based on network nodes according to an embodiment of the present application.
Detailed Description
The present application is described in further detail below with reference to figures 1-8.
The embodiment of the application discloses an attack trapping method based on multi-bait dynamic cooperation.
Referring to fig. 1, the attack trapping method based on multi-bait dynamic cooperation includes the following steps:
101, honeypots are deployed based on a plurality of network nodes.
102, a plurality of object value libraries are established based on object values of a plurality of access objects, respectively.
Wherein, the object value library contains all object values which may exist in the corresponding access object.
103, obtaining an access request of the access initiating terminal targeting any access object, and judging whether the access request is reasonable, if the access request is not reasonable, executing step 104.
The reasonability of the access request can be judged specifically through the security of the access object and the security of the access initiating terminal, if the access request is reasonable, the access initiating terminal is determined to be a normal user, and at the moment, a connection path between the access initiating terminal and the access object which requests access can be established.
104, constructing a virtual path between the access initiator and the honeypot.
Because the honeypot is deployed based on normal network nodes, a virtual connection path between an access initiator and an access object can be directly established through route distribution.
105, determining a target access object requesting access according to the access request.
The destination address information in the access request is acquired, and the access object to which the destination address information belongs is found; this access object is the target access object.
106, selecting a target object value library corresponding to the target access object, and replying an object value to the access initiating terminal through the honeypot based on the target object value library.
The implementation principle of the embodiment is as follows:
the honeypot is deployed at a network node, a plurality of object value libraries are established according to object values of different access objects, the object value libraries comprise all possible values corresponding to the access objects, when an access request of an access initiating terminal is obtained, the rationality of the access request is judged firstly, if the request is unreasonable, a connection path is established between the access initiating terminal and the honeypot through a virtual path, a corresponding target object value library is selected according to a target access object requested to be accessed by the access request, the value is taken from the target object value library, and the honeypot replies to the access initiating terminal. Compared with the fixed single reply preset by the honeypot, if the access request is an access request with aggression of an attacker, the attacker can be confused more easily by replying different object values according to different target access objects of the access request, and the simulation effect of the honeypot on simulating real equipment is better.
In step 106 of the embodiment shown in fig. 1, when an object value is replied to the access initiator, the object value is randomly extracted from the object value library if this is the first reply to an access request of this type; otherwise, the object value to reply is determined from an analysis result obtained by analyzing how interested the access initiator was in the object values replied historically. This is described in detail with the embodiment shown in fig. 2.
Referring to fig. 2, replying an object value to an access originator based on a target object value library includes the steps of:
201, judging whether the access request is obtained for the first time, if so, executing step 202; if not, go to step 204.
202, randomly extracting any group of object values from the object value library as object values, and returning the object values to the access initiator.
203, uploading the access request and a target object value corresponding to the access request to a preset first database.
204, analyzing, according to the first database, how interested the access initiating terminal is in the target object value, to obtain an analysis result.
205, replying different object values to the access initiator according to the analysis result.
206, the access request and the corresponding object value are uploaded to the first database.
The implementation principle of the embodiment is as follows:
the access requests are different in target access objects requested to be accessed, so that the types of the access requests are different, when the access requests are acquired, whether the access requests of the types are acquired for the first time is judged, if the access requests are acquired for the first time, object values are randomly extracted from a corresponding target object value base to reply, and the access requests and the replied target object values are uploaded and stored in a first database; if not, calling the historical data from the first database, analyzing whether the access initiating terminal is interested in the target object value of the historical reply or not, replying according to the analysis result, uploading and storing the access request and the object value replied again into the first database so as to call and analyze again when the same kind of access request is obtained next time.
In step 202 of the embodiment shown in fig. 2, the object value is extracted from the object value library by using a random function, which is described in detail with reference to the embodiment shown in fig. 3.
Referring to fig. 3, randomly extracting an object value from a target object value library includes the steps of:
301, the sequence of the object values obtained according to the target object value library is sorted, and all the object values are marked with different numbers according to the sequence.
302, extracting numbers based on a preset random function to obtain target numbers, and taking object values corresponding to the target numbers as target object values.
In step 204 of the embodiment shown in fig. 2, each time the access request is obtained and the reply is made, the access request and the corresponding target object value are uploaded to the first database, so that whether the access initiating terminal is interested in the target object value can be analyzed by analyzing the data stored in the first database, which is specifically described in detail with the embodiment shown in fig. 4.
Referring to fig. 4, analyzing the interest of the access initiating terminal in the target object value includes the following steps:
401, judging whether the same access request exists in the first database based on the access request, if not, executing step 402; if yes, go to step 403.
Here, a same access request is a stored access request whose target access object is the same as that of the current access request.
402, obtaining a first analysis result.
And the first analysis result is that the access initiating terminal is not interested in the target object value.
403, analyzing the number of same access requests to obtain a second analysis result.
The implementation principle of the embodiment is as follows:
according to the obtained access request, carrying out retrieval judgment in a first database, judging whether the same access request of the same kind exists or not, if the same access request does not exist, obtaining a first analysis result that the access initiating terminal is not interested in a target object value replied when the access request is obtained for the first time because the obtained access request is not obtained for the first time; if the same access request exists, further analysis is performed according to the number of the same access request in the first database.
In step 403 of the embodiment shown in fig. 4, the number can be analyzed in detail by presetting a threshold, and the embodiment shown in fig. 5 is used for detailed explanation.
Referring to fig. 5, analyzing the number of identical access requests and obtaining an analysis result includes the steps of:
and 501, counting the number of the same access requests in the first database.
502, judging the number based on a preset first number threshold and a preset second number threshold, and if the number exceeds the preset first number threshold, executing step 503; if the number does not exceed the preset second number threshold, go to step 504; if the number exceeds the second number threshold and does not exceed the first number threshold, step 505 is executed.
Wherein the second number threshold is less than the first number threshold.
503, obtaining a second analysis result that the access initiating terminal is interested in the target object value.
504, obtaining a second analysis result that the access initiating terminal is not interested in the target object value.
505, the same access request and the access request are comprehensively analyzed to obtain a second analysis result.
The implementation principle of the embodiment is as follows:
The number of same access requests is counted and judged against a first number threshold and a second number threshold, the first being larger than the second. When the number exceeds the first number threshold, the same target access object has been accessed repeatedly, many times, by access requests of this type, so the second analysis result is that the access initiating terminal is interested in the replied target object value. When the number does not exceed the second number threshold, the same target access object has been requested repeatedly but only a few times, so the second analysis result is that the access initiating terminal is not interested in the replied target object value. When the number lies between the second number threshold and the first number threshold, the analysis result must be obtained by further analysis of the access request.
In step 505 of the embodiment shown in fig. 5, further analysis may be carried out according to the similarity between the same access request and the access request, which is described in detail in the embodiment shown in fig. 6.
Referring to fig. 6, comprehensively analyzing the same access request and the access request to obtain an analysis result includes the following steps:
601, obtaining a first semantic of the same access request and a second semantic of the access request.
602, calculating the semantic similarity of the first semantic and the second semantic.
603, judging whether the semantic similarity exceeds a preset similarity threshold; if so, executing step 604; if not, executing step 605.
604, obtaining a second analysis result that the access initiating terminal is interested in the target object value.
605, obtaining a second analysis result that the access initiating terminal is not interested in the target object value.
The implementation principle of the embodiment is as follows:
Judging the semantic similarity of the first semantic and the second semantic makes it possible to judge how similar the same access request and the access request are, and a corresponding analysis result is obtained according to the preset similarity threshold. If the semantic similarity exceeds the similarity threshold, the overall similarity between the same access request and the access request is high, and their access modes and access purposes are also highly similar, so the second analysis result is that the access initiating terminal is interested in the target object value. If the semantic similarity does not exceed the similarity threshold, the overall similarity between the same access request and the access request is low, so the second analysis result is that the access initiating terminal is not interested in the target object value.
In the steps of the embodiments shown in fig. 2 to fig. 6, the access request is comprehensively analyzed based on the first database, and an analysis result indicating whether the access initiating terminal is interested in the target object value is obtained, so that the object value to reply can be selected according to the analysis result; this is described in detail in the embodiment shown in fig. 7.
Referring to fig. 7, replying an object value according to the analysis result includes the following steps:
701, judging, according to the analysis result, whether the access initiating terminal is interested in the target object value; if so, executing step 702; if not, executing step 703.
702, continuing to reply the target object value to the access initiating terminal.
703, re-extracting, from the target object value library, object values other than the current target object value, and replying those object values to the access initiating terminal.
The implementation principle of the embodiment is as follows:
If the access initiating terminal is interested in the target object value, the target object value is left unchanged and the same target object value is used for the reply. If the access initiating terminal is not interested in the target object value, the target object value is temporarily hidden from the target object value library, and a group of object values is randomly extracted from the target object value library again to serve as the new target object value for the reply.
In step 101 of the embodiment shown in fig. 1, virtual nodes are configured from the network nodes, a virtual network is constructed, and honeypots simulating real equipment are then deployed in it; this is described in detail in the embodiment shown in fig. 8.
Referring to fig. 8, deploying honeypots based on the network nodes includes the following steps:
801, arbitrarily selecting one of the network nodes to be configured as a real node, and configuring the other network nodes as virtual nodes.
Here, the real node is the network node connected to the access object.
802, constructing a virtual network based on the virtual nodes, and randomly selecting at least one virtual node to be configured as a virtual gateway.
803, deploying the honeypots based on the virtual network.
The implementation principle of the embodiment is as follows:
The network nodes are used to configure virtual nodes, a virtual network is constructed from the virtual nodes, and a virtual gateway is configured, so that a real network environment can be simulated; honeypots simulating real equipment are deployed in the virtual network, and the combination of the virtual network and the honeypots is more favorable for trapping network attacks.
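The reply-selection logic of figs. 4 to 7 (and claims 2 to 7), written out as an added example that is not part of the patent: the first database is modelled as a list of records, the two number thresholds and the similarity threshold are assumed values, and, because the patent does not specify how the "semantics" of a request are compared, token-set Jaccard similarity stands in for the semantic similarity step.

```python
"""Toy model of the honeypot reply decision (added example, not the patent's code).
The Record shape, the threshold values and the similarity measure are assumptions."""
import random
from dataclasses import dataclass, field

FIRST_THRESHOLD = 5    # preset first number threshold (assumed value)
SECOND_THRESHOLD = 2   # preset second number threshold; must be smaller
SIM_THRESHOLD = 0.6    # preset similarity threshold (assumed value)


@dataclass
class Record:
    request: str   # text of the access request
    target: str    # target access object the request asked for
    value: str     # object value the honeypot replied with


@dataclass
class FirstDatabase:
    records: list = field(default_factory=list)  # kept in time order

    def same_requests(self, target):
        # "same access request": any stored request with the same target access object
        return [r for r in self.records if r.target == target]


def semantic_similarity(a, b):
    """Stand-in for the semantic comparison of fig. 6: Jaccard over word tokens."""
    ta, tb = set(a.lower().split()), set(b.lower().split())
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0


def analyze(db, request, target):
    """Figs. 4-6: True when the initiating terminal is judged interested."""
    same = db.same_requests(target)
    if not same:
        return False                       # fig. 4, step 402: first analysis result
    n = len(same)
    if n > FIRST_THRESHOLD:
        return True                        # fig. 5, step 503
    if n <= SECOND_THRESHOLD:
        return False                       # fig. 5, step 504
    # fig. 5 step 505 / fig. 6: compare the request with the stored same requests
    best = max(semantic_similarity(r.request, request) for r in same)
    return best > SIM_THRESHOLD


def reply(db, request, target, library, rng=random):
    """Fig. 7 plus the first-time branch of claim 2: choose the object value to
    reply from library[target] and record the exchange in the first database."""
    seen = [r for r in db.records if r.request == request and r.target == target]
    if not seen:
        # first time: the library list is already in time order, so a random
        # index is the numbered random draw of claim 3
        value = rng.choice(library[target])
    else:
        current = db.same_requests(target)[-1].value
        if analyze(db, request, target):
            value = current                # step 702: keep replying the same value
        else:                              # step 703: any other value from the library
            others = [v for v in library[target] if v != current]
            value = rng.choice(others) if others else current
    db.records.append(Record(request, target, value))
    return value
```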
The embodiment also discloses an attack trapping system based on multi-bait dynamic cooperation, which includes:
a receiving module, used for acquiring an access request of an access initiating terminal;
an analysis module, used for analyzing the access request and judging the rationality of the access request;
a trapping module, in which honeypots are deployed and which is connected with the access object and the analysis module;
when the analysis module judges that the access request is an unreasonable access request, the trapping module establishes a virtual path between the access initiating terminal and the honeypot.
The implementation principle of the embodiment is as follows:
An access initiating terminal may be a normal user or an attacker carrying out a network attack. Honeypots are deployed at the network nodes, and a plurality of object value libraries are established according to the object values of different access objects, each library containing all possible values corresponding to its access object. When an access request of the access initiating terminal is obtained, the rationality of the access request is judged first; if the request is unreasonable, a connection path is established between the access initiating terminal and the honeypot through a virtual path, the target object value library corresponding to the target access object requested by the access request is selected, a value is taken from that library, and the honeypot replies with it to the access initiating terminal. Compared with a fixed single reply preset in the honeypot, replying with different object values according to the different target access objects of the access requests confuses an attacker more easily when the access request is an aggressive one, and the honeypot simulates real equipment more convincingly.
The above embodiments are preferred embodiments of the present application, and the protection scope of the present application is not limited by them; all equivalent changes made according to the structure, shape and principle of the present application shall fall within the protection scope of the present application.

Claims (9)

1. An attack trapping method and system based on multi-bait dynamic cooperation, characterized in that the method comprises the following steps:
deploying honeypots based on a plurality of network nodes;
establishing a plurality of object value libraries based on the object values of a plurality of access objects, respectively;
acquiring an access request that an access initiating terminal issues with any one of the access objects as its target, and judging whether the access request is reasonable;
if the access request is unreasonable, constructing a virtual path between the access initiating terminal and the honeypot;
determining, according to the access request, the target access object that it requests to access;
and selecting the target object value library corresponding to the target access object, and replying an object value to the access initiating terminal through the honeypot based on the target object value library.
2. The attack trapping method based on multi-bait dynamic cooperation according to claim 1, wherein replying the object value to the access initiating terminal based on the target object value library comprises the following steps:
judging whether the access request is acquired for the first time;
if the access request is acquired for the first time, randomly extracting any group of object values from the target object value library as the target object value, and replying it to the access initiating terminal;
uploading the access request and the target object value corresponding to it to a preset first database;
if the access request is not acquired for the first time, analyzing the interest of the access initiating terminal in the target object value according to the first database to obtain an analysis result;
replying a different object value to the access initiating terminal according to the analysis result;
uploading the access request and the corresponding object value to the first database.
3. The attack trapping method based on multi-bait dynamic cooperation according to claim 2, wherein randomly extracting any group of object values from the target object value library as the target object value comprises the following steps:
sorting the object values in the target object value library according to the time sequence in which they were obtained, and assigning a different number to each object value according to that time sequence;
and extracting a number based on a preset random function to obtain a target number, and taking the object value corresponding to the target number as the target object value.
4. The attack trapping method based on multi-bait dynamic cooperation according to claim 2, wherein analyzing the interest of the access initiating terminal in the target object value according to the first database to obtain an analysis result comprises the following steps:
judging whether the same access request exists in the first database or not based on the access request, wherein the same access request is an access request of which the target access object is the same as the access request;
if the same access request does not exist in the first database, obtaining a first analysis result, wherein the first analysis result is that the access initiating terminal is not interested in the target object value;
and if the same access requests exist in the first database, analyzing the number of the same access requests to obtain a second analysis result.
5. The attack trapping method based on multi-bait dynamic cooperation according to claim 4, wherein analyzing the number of the same access requests to obtain a second analysis result comprises the following steps:
counting the number of the same access requests in the first database;
judging the number against a preset first number threshold and a preset second number threshold, wherein the second number threshold is smaller than the first number threshold;
if the number exceeds the preset first number threshold, obtaining a second analysis result that the access initiating terminal is interested in the target object value;
if the number does not exceed the preset second number threshold, obtaining a second analysis result that the access initiating terminal is not interested in the target object value;
and if the number exceeds the preset second number threshold but does not exceed the preset first number threshold, comprehensively analyzing the same access request and the access request to obtain a second analysis result.
6. The attack trapping method based on multi-bait dynamic cooperation according to claim 5, wherein comprehensively analyzing the same access request and the access request to obtain a second analysis result comprises the following steps:
acquiring a first semantic meaning of the same access request and a second semantic meaning of the access request;
calculating semantic similarity of the first semantic meaning and the second semantic meaning;
judging whether the semantic similarity exceeds a preset similarity threshold;
if the semantic similarity exceeds the similarity threshold, obtaining a second analysis result that the access initiating terminal is interested in the target object value;
and if the semantic similarity does not exceed the similarity threshold, obtaining a second analysis result that the access initiating terminal is not interested in the target object value.
7. The attack trapping method based on multi-bait dynamic cooperation according to any one of claims 2 to 6, wherein replying a different object value to the access initiating terminal according to the analysis result comprises the following steps:
judging whether the access initiating terminal is interested in the target object value according to the analysis result;
if the access initiating terminal is interested in the target object value, continuing to reply the target object value to the access initiating terminal;
and if the access initiating terminal is not interested in the target object value, re-extracting other object values except the target object value from the target object value library, and replying the other object values to the access initiating terminal.
8. The attack trapping method based on multi-bait dynamic cooperation according to claim 1, wherein deploying honeypots based on a plurality of network nodes comprises the following steps:
randomly selecting one of the network nodes to be configured as a real node, and configuring the other network nodes as virtual nodes, wherein the real node is the network node connected with the access object;
constructing a virtual network based on the virtual nodes, and randomly selecting at least one virtual node to be configured as a virtual gateway;
deploying honeypots based on the virtual network.
9. An attack trapping system based on multi-bait dynamic cooperation, comprising:
a receiving module, used for acquiring an access request of an access initiating terminal;
an analysis module, used for analyzing the access request and judging the rationality of the access request;
a trapping module, in which honeypots are deployed and which is connected with the access object and the analysis module;
when the analysis module judges that the access request is an unreasonable access request, the trapping module establishes a virtual path between the access initiating terminal and the honeypot.
CN202111146930.4A 2021-09-28 2021-09-28 Attack trapping method and system based on multi-bait dynamic cooperation Active CN114465748B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111146930.4A CN114465748B (en) 2021-09-28 2021-09-28 Attack trapping method and system based on multi-bait dynamic cooperation

Publications (2)

Publication Number Publication Date
CN114465748A true CN114465748A (en) 2022-05-10
CN114465748B CN114465748B (en) 2022-10-11

Family

ID=81405795

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2713581A1 (en) * 2012-09-28 2014-04-02 Juniper Networks, Inc. Virtual honeypot
EP3041190A1 (en) * 2014-12-30 2016-07-06 Juniper Networks, Inc. Dynamic service handling using a honeypot
CN107566401A (en) * 2017-09-30 2018-01-09 北京奇虎科技有限公司 Defense method and device for a virtualized environment
CN109246108A (en) * 2018-09-18 2019-01-18 中国人民解放军战略支援部队信息工程大学 Mimic honeypot fingerprint obfuscation system and method, and SDN network architecture thereof
CN112738128A (en) * 2021-01-08 2021-04-30 广州锦行网络科技有限公司 Novel honeypot networking method and honeypot system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant